From 03b6cc81876df2423c17532b8f2e0ef2bbb6a84b Mon Sep 17 00:00:00 2001
From: Hunt Xu
Date: Tue, 6 Feb 2018 18:21:21 +0800
Subject: [PATCH] Enable sha384/sha512 auth algorithms for *Swan drivers
Closes-Bug: #1747654
Change-Id: I84d3ac6379bc0b6d483b557f38f3a462f0f1f1bf
---
 .../services/vpn/device_drivers/ipsec.py | 2 +
 .../vpn/service_drivers/ipsec_validator.py | 37 -------------------
 .../strongswan/test_strongswan_driver.py | 15 ++++++--
 .../vpn/service_drivers/test_ipsec.py | 25 +------------
 ...hms-for-Swan-drivers-9897b96f90737a20.yaml | 6 +++
 5 files changed, 21 insertions(+), 64 deletions(-)
 create mode 100644 releasenotes/notes/Enable-sha384-and-sha512-auth-algorithms-for-Swan-drivers-9897b96f90737a20.yaml
diff --git a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
index cea02e80a..84121b3fa 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@@ -151,6 +151,8 @@ class BaseSwanProcess(object):
         "aes-256": "aes256",
         "aes-192": "aes192",
         "sha256": "sha2_256",
+        "sha384": "sha2_384",
+        "sha512": "sha2_512",
         "group2": "modp1024",
         "group5": "modp1536",
         "group14": "modp2048",
diff --git a/neutron_vpnaas/services/vpn/service_drivers/ipsec_validator.py b/neutron_vpnaas/services/vpn/service_drivers/ipsec_validator.py
index 5b22ef18f..49fc45d5b 100644
--- a/neutron_vpnaas/services/vpn/service_drivers/ipsec_validator.py
+++ b/neutron_vpnaas/services/vpn/service_drivers/ipsec_validator.py
@@ -23,11 +23,6 @@ class IpsecValidationFailure(nexception.BadRequest):
                 "with value '%(value)s'")
-class IkeValidationFailure(nexception.BadRequest):
-    message = _("IKE does not support %(resource)s attribute %(key)s "
-                "with value '%(value)s'")
-
-
 class IpsecVpnValidator(driver_validator.VpnDriverValidator):
     """Driver-specific validator methods for the Openswan, Strongswan
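Review bot: The new `sha384`/`sha512` entries carry no comment, and nothing in the hunk records which *Swan dialect the `sha2_384`/`sha2_512` keywords were checked against; `BaseSwanProcess` looks like the shared base for the Openswan/Libreswan and StrongSwan process classes (its header and the subclasses are outside this hunk), while the functional tests added in this commit exercise StrongSwan only. I would add above the two lines: `# sha2_384/sha2_512 keywords verified end-to-end against StrongSwan only (see functional tests); Libreswan/Openswan not covered`. If the Libreswan/Openswan process class does not override this map, an ipsec.conf syntax check on that side would be needed to back the release note's claim that all *Swan drivers now support these algorithms.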
@@ -46,43 +41,11 @@ class IpsecVpnValidator(driver_validator.VpnDriverValidator):
                 key='transform_protocol', value=transform_protocol)
-    def _check_auth_algorithm(self, context, auth_algorithm): """Restrict selecting sha384 and sha512 as IPSec Policy auth algorithm.
-
-        For those *Swan implementations, the 'sha384' and 'sha512' auth
-        algorithm is not supported and therefore request should be rejected.
-        """
-        if auth_algorithm in ["sha384", "sha512"]:
-            raise IpsecValidationFailure(
-                resource='IPsec Policy',
-                key='auth_algorithm',
-                value=auth_algorithm)
-
     def validate_ipsec_policy(self, context, ipsec_policy):
         transform_protocol = ipsec_policy.get('transform_protocol')
         self._check_transform_protocol(context, transform_protocol)
-        auth_algorithm = ipsec_policy.get('auth_algorithm')
-        self._check_auth_algorithm(context, auth_algorithm)
-
-    def validate_ike_policy(self, context, ike_policy):
-        """Restrict selecting sha384 and sha512 as IKE Policy auth algorithm.
-
-        For those *Swan implementations, the 'sha384' and 'sha512' auth
-        algorithm is not supported and therefore request should be rejected.
-        """
-        auth_algorithm = ike_policy.get('auth_algorithm')
-        if auth_algorithm in ["sha384", "sha512"]:
-            raise IkeValidationFailure(
-                resource='IKE Policy',
-                key='auth_algorithm',
-                value=auth_algorithm)
     def validate_ipsec_site_connection(self, context, ipsec_sitecon):
-        if 'ikepolicy_id' in ipsec_sitecon:
-            ike_policy = self.driver.service_plugin.get_ikepolicy(
-                context, ipsec_sitecon['ikepolicy_id'])
-            self.validate_ike_policy(context, ike_policy)
-
         if 'ipsecpolicy_id' in ipsec_sitecon:
             ipsec_policy = self.driver.service_plugin.get_ipsecpolicy(
                 context, ipsec_sitecon['ipsecpolicy_id'])
diff --git a/neutron_vpnaas/tests/functional/strongswan/test_strongswan_driver.py b/neutron_vpnaas/tests/functional/strongswan/test_strongswan_driver.py
index eb2a1548e..9bcf14547 100644
--- a/neutron_vpnaas/tests/functional/strongswan/test_strongswan_driver.py
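Review bot: `validate_ipsec_policy` keeps no record of why the auth_algorithm check was dropped, so a reader will not learn that there is no longer any validation tier between the API enum and config rendering — every auth_algorithm the API accepts must now have an entry in `BaseSwanProcess.DIALECT_MAP`, which this commit extends in a separate hunk. I would give it a docstring: `"""Validate an IPsec policy for the *Swan drivers. Only transform_protocol is restricted here; auth_algorithm is not checked because every API value is mapped by the device driver's DIALECT_MAP, so a new enum value needs a mapping there too."""`. Removing `validate_ike_policy` outright, rather than leaving a no-op, means any caller of the driver validator's `validate_ike_policy` now hits the base `VpnDriverValidator` implementation, which is outside this diff and worth confirming is a no-op rather than an error. The enclosing class starts before this hunk and `validate_ipsec_site_connection` continues past it.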
+++ b/neutron_vpnaas/tests/functional/strongswan/test_strongswan_driver.py
@@ -227,7 +227,7 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
         self.check_ping(site1, site2)
         self.check_ping(site2, site1)
-    def test_strongswan_connection_with_sha256(self):
+    def _test_strongswan_connection_with_auth_algo(self, auth_algo):
         site1 = self.create_site(test_scenario.PUBLIC_NET[4],
                                  [self.private_nets[1]])
         site2 = self.create_site(test_scenario.PUBLIC_NET[5],
@@ -237,9 +237,18 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
         self.check_ping(site2, site1, success=False)
         self.prepare_ipsec_site_connections(site1, site2)
-        self._override_auth_algorithm_for_site(site1, 'sha256')
-        self._override_auth_algorithm_for_site(site2, 'sha256')
+        self._override_auth_algorithm_for_site(site1, auth_algo)
+        self._override_auth_algorithm_for_site(site2, auth_algo)
         self.sync_to_create_ipsec_connections(site1, site2)
         self.check_ping(site1, site2)
         self.check_ping(site2, site1)
+
+    def test_strongswan_connection_with_sha256(self):
+        self._test_strongswan_connection_with_auth_algo('sha256')
+
+    def test_strongswan_connection_with_sha384(self):
+        self._test_strongswan_connection_with_auth_algo('sha384')
+
+    def test_strongswan_connection_with_sha512(self):
+        self._test_strongswan_connection_with_auth_algo('sha512')
diff --git a/neutron_vpnaas/tests/unit/services/vpn/service_drivers/test_ipsec.py b/neutron_vpnaas/tests/unit/services/vpn/service_drivers/test_ipsec.py
index c1d5c97b8..fd069f892 100644
--- a/neutron_vpnaas/tests/unit/services/vpn/service_drivers/test_ipsec.py
+++ b/neutron_vpnaas/tests/unit/services/vpn/service_drivers/test_ipsec.py
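Review bot: `_test_strongswan_connection_with_auth_algo` and its three one-line wrappers are the only end-to-end coverage for the newly enabled algorithms, and they exercise StrongSwan alone, while the release note in this commit claims all *Swan drivers; nothing here shows a Libreswan/Openswan tunnel negotiating `sha2_384`/`sha2_512`. The helper also has no docstring; I would add `"""Bring up a tunnel between two fresh sites with auth_algo set on both ends and verify that ping fails before the connections are synced and succeeds in both directions afterwards."""`. I would either add the same sha384/sha512 cases to the Libreswan functional scenario, if one exists, or narrow the release note to StrongSwan until it does. `TestStrongSwanScenario` starts before these hunks.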
@@ -459,31 +459,8 @@ class TestIPsecDriver(base.BaseTestCase):
             ctxt, FAKE_SERVICE_ID, v4_ip='10.0.0.99', v6_ip='2001::1')
     def test_validate_ipsec_policy(self):
-        # Validate IPsec Policy transform_protocol and auth_algorithm
+        # Validate IPsec Policy transform_protocol
         ipsec_policy = {'transform_protocol': 'ah-esp'}
         self.assertRaises(ipsec_validator.IpsecValidationFailure,
                           self.validator.validate_ipsec_policy,
                           self.context, ipsec_policy)
-
-        auth_algorithm = {'auth_algorithm': 'sha384'}
-        self.assertRaises(ipsec_validator.IpsecValidationFailure,
-                          self.validator.validate_ipsec_policy,
-                          self.context, auth_algorithm)
-
-        auth_algorithm = {'auth_algorithm': 'sha512'}
-        self.assertRaises(ipsec_validator.IpsecValidationFailure,
-                          self.validator.validate_ipsec_policy,
-                          self.context, auth_algorithm)
-
-    def test_validate_ike_policy(self):
-        # Validate IKE Policy auth_algorithm
-
-        auth_algorithm = {'auth_algorithm': 'sha384'}
-        self.assertRaises(ipsec_validator.IkeValidationFailure,
-                          self.validator.validate_ike_policy,
-                          self.context, auth_algorithm)
-
-        auth_algorithm = {'auth_algorithm': 'sha512'}
-        self.assertRaises(ipsec_validator.IkeValidationFailure,
-                          self.validator.validate_ike_policy,
-                          self.context, auth_algorithm)
diff --git a/releasenotes/notes/Enable-sha384-and-sha512-auth-algorithms-for-Swan-drivers-9897b96f90737a20.yaml b/releasenotes/notes/Enable-sha384-and-sha512-auth-algorithms-for-Swan-drivers-9897b96f90737a20.yaml
new file mode 100644
index 000000000..fb28781d8
--- /dev/null
+++ b/releasenotes/notes/Enable-sha384-and-sha512-auth-algorithms-for-Swan-drivers-9897b96f90737a20.yaml
@@ -0,0 +1,6 @@
+---
+prelude: >
+  Enable sha384 and sha512 auth algorithms for \*Swan drivers
+features:
+  - Users can now specify sha384 and sha512 as the auth algorithm for both IKE
+    policy and IPsec policy, when using \*Swan IPsec drivers.
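Review bot: `test_validate_ipsec_policy` now keeps only the negative `ah-esp` case; nothing asserts that `sha384`/`sha512` — the point of this change — are accepted by the *Swan validator for either policy type, so a regression that re-rejects them would pass the unit suite unnoticed. I would add, mirroring the removed cases but without `assertRaises`: `for algo in ('sha384', 'sha512'):` / `self.validator.validate_ipsec_policy(self.context, {'transform_protocol': 'esp', 'auth_algorithm': algo})` / `self.validator.validate_ike_policy(self.context, {'auth_algorithm': algo})`. The IKE call now resolves to the base `VpnDriverValidator.validate_ike_policy`, which is outside this diff, so the same test also pins that it is a no-op for these values. The rest of `TestIPsecDriver` lies outside the hunk.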